Merge ~ahasenack/ubuntu/+source/bind9:disco-bind9-merge-9.11.5 into ubuntu/+source/bind9:debian/sid
| Status: | Merged |
|---|---|
| Approved by: | Andreas Hasenack |
| Approved revision: | 7d482c21f2a44a48e7b7467705f95eb3ffd5e5c4 |
| Merge reported by: | Andreas Hasenack |
| Merged at revision: | 7d482c21f2a44a48e7b7467705f95eb3ffd5e5c4 |
| Proposed branch: | ~ahasenack/ubuntu/+source/bind9:disco-bind9-merge-9.11.5 |
| Merge into: | ubuntu/+source/bind9:debian/sid |
| Diff against target: | 752 lines (+472/-83), 10 files modified: debian/bind9.install (+0/-2), debian/changelog (+400/-0), debian/control (+2/-5), debian/dnsutils.install (+0/-2), debian/libdns1104.symbols (+0/-66), debian/patches/enable-udp-in-host-command.diff (+26/-0), debian/patches/fix-shutdown-race.diff (+41/-0), debian/patches/series (+2/-0), debian/rules (+1/-4), debian/tests/simpletest (+0/-4) |
| Related bugs: | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Christian Ehrhardt (community) | | | Approve |
| Canonical Server | | | Pending |
| git-ubuntu developers | | | Pending |

Review via email: mp+360691@code.launchpad.net
Commit message
Description of the change
Merge from debian
Bileto ticket: https:/
This is going to need some rebuilds, due to soname bumps:
- bind-dyndb-ldap
- isc-dhcp
- debian-installer
I tested all of them and isc-dhcp actually needed a patch to build with 9.11.5, which I grabbed from debian. I'll MP that too, and the other two are just plain no-change rebuilds.
Some delta was dropped, which is good.
Of the bits that were added, two are applied fixed upstream, so they should vanish soon, but the remaining one is a dep8 change we had to make because our autopkgtest farm doesn't have easy egress access. I tried for a while to come up with ways to detect that and skip the test in this case, which would be acceptable for debian I think, or even find out which resolver the system is using and pointing bind at it via a "forwarders" config directive, but it didn't work out as well as I had hoped. I couldn't even be sure if using a forwarder wasn't going to taint that particular dnssec test.
Since I had spent a lot of time on this already, I decided to just drop that test.
The only remaining delta we have, apart from this new dep8 change, is related to dependencies in universe.
This debian change made me think: https:/
It's this d/rules bit:
override_
dh_shlibdeps
# Downgrade libcrypto1.1-udeb dependency from 1.1.1 to 1.1.0
# The udebs don't use any newer symbols, but due to them using
# shlibs the dependency is generated anyway. This blocks migration
# to testing until OpenSSL 1.1.1 is sorted out
sed -i 's:libcrypto1.
Ubuntu has libcrypto1.1-udeb version 1.1.1a in disco:
libcrypto1.1-udeb | 1.1.1a-1ubuntu2 | disco/main/
Debian too, at the moment:
libcrypto1.1-udeb | 1.1.1a-1 | unstable | amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, ppc64el, s390x
That sed line from d/rules no longer matches, because it's looking for 1.1.1, and both debian and ubuntu have 1.1.1a nowadays. It's a noop and not worth adding a delta for. Eventually debian will drop it.
Andreas Hasenack (ahasenack) wrote:
All good
Christian Ehrhardt (paelzer) wrote:
- All your considerations sound fine to me
- Neither the Debian nor the upstream changelog gave me other reasons to doubt this would be good
- Changes correctly retained/dropped
- yes to the egress test dropping
- patches added are upstream and seem safe
Strictly speaking the commit messages and changelog could be slightly updated:
+ d/rules: don't build dnstap => add "... nor install dnstap.proto"
+ d/libdns1102.
But that is up to you.
The autopkgtests look good, I think last cycle we also ran [1] against it.
I don't remember if that was helpful, if it was you might run that again before an upload.
All my feedback was ack/suggestion - so you already have my +1 on this - thanks for the Merge!
[1]: https:/
- 995f96b... by Andreas Hasenack: merge-changelogs
- 60f880e... by Andreas Hasenack: reconstruct-changelog
- acc2688... by Andreas Hasenack: update-maintainer
Andreas Hasenack (ahasenack) wrote:
Good suggestions, particularly the libdns1104.symbols one. I remember I was amazed how git was able to track the patch across a file rename, but didn't think about checking the filename in the changelog message.
I push-forced these changes, sorry, but I wanted to keep the changelog auto-generated correctly via git ubuntu merge finish.
I'll next run the qa-regression tests.
Christian Ehrhardt (paelzer) wrote:
Ack to the changelog changes - thanks!
Andreas Hasenack (ahasenack) wrote:
Regarding the qa-regression-
9.11.4 (current in disco): https:/
9.11.5 (this MP): https:/
Since it's the same tests that failed, it's no regression. I asked #security and #ubuntu-hardened if these are known failures.
Andreas Hasenack (ahasenack) wrote:
Tagged and uploaded, thanks.
Andreas Hasenack (ahasenack) wrote:
This migrated.
Preview Diff
1 | diff --git a/debian/bind9.install b/debian/bind9.install | |||
2 | index 26d595e..fd7f0f5 100644 | |||
3 | --- a/debian/bind9.install | |||
4 | +++ b/debian/bind9.install | |||
5 | @@ -16,7 +16,6 @@ usr/sbin/genrandom | |||
6 | 16 | usr/sbin/isc-hmac-fixup | 16 | usr/sbin/isc-hmac-fixup |
7 | 17 | usr/sbin/named | 17 | usr/sbin/named |
8 | 18 | usr/sbin/named-journalprint | 18 | usr/sbin/named-journalprint |
9 | 19 | usr/sbin/named-nzd2nzf | ||
10 | 20 | usr/sbin/named-pkcs11 | 19 | usr/sbin/named-pkcs11 |
11 | 21 | usr/sbin/nsec3hash | 20 | usr/sbin/nsec3hash |
12 | 22 | usr/sbin/tsig-keygen | 21 | usr/sbin/tsig-keygen |
13 | @@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8 | |||
14 | 32 | usr/share/man/man8/genrandom.8 | 31 | usr/share/man/man8/genrandom.8 |
15 | 33 | usr/share/man/man8/isc-hmac-fixup.8 | 32 | usr/share/man/man8/isc-hmac-fixup.8 |
16 | 34 | usr/share/man/man8/named-journalprint.8 | 33 | usr/share/man/man8/named-journalprint.8 |
17 | 35 | usr/share/man/man8/named-nzd2nzf.8 | ||
18 | 36 | usr/share/man/man8/named.8 | 34 | usr/share/man/man8/named.8 |
19 | 37 | usr/share/man/man8/nsec3hash.8 | 35 | usr/share/man/man8/nsec3hash.8 |
20 | 38 | usr/share/man/man8/tsig-keygen.8 | 36 | usr/share/man/man8/tsig-keygen.8 |
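Review bot: the two removals in this file, usr/sbin/named-nzd2nzf in the hunk above and usr/share/man/man8/named-nzd2nzf.8 here, are not itemized in the new 1:9.11.5+dfsg-1ubuntu1 changelog entry, which carries the lmdb delta as the single line "Build without lmdb support as that package is in Universe". The 1:9.11.2.P1-1ubuntu2 entry listed the d/control, d/rules and d/bind9.install parts separately; repeating those sub-items under "Remaining changes", as is already done for dnstap, would let the next merge check each file against the list.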
21 | diff --git a/debian/changelog b/debian/changelog | |||
22 | index 1e26d11..91bda1e 100644 | |||
23 | --- a/debian/changelog | |||
24 | +++ b/debian/changelog | |||
25 | @@ -1,3 +1,42 @@ | |||
26 | 1 | bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium | ||
27 | 2 | |||
28 | 3 | * Merge with Debian unstable. Remaining changes: | ||
29 | 4 | - Build without lmdb support as that package is in Universe | ||
30 | 5 | - Don't build dnstap as it depends on universe packages: | ||
31 | 6 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
32 | 7 | protobuf-c-compiler (universe packages) | ||
33 | 8 | + d/dnsutils.install: don't install dnstap | ||
34 | 9 | + d/libdns1104.symbols: don't include dnstap symbols | ||
35 | 10 | + d/rules: don't build dnstap nor install dnstap.proto | ||
36 | 11 | * Dropped: | ||
37 | 12 | - SECURITY UPDATE: denial of service crash when deny-answer-aliases | ||
38 | 13 | option is used | ||
39 | 14 | + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could | ||
40 | 15 | trigger a crash if deny-answer-aliases was set | ||
41 | 16 | + debian/patches/CVE-2018-5740-2.patch: add tests | ||
42 | 17 | + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set | ||
43 | 18 | chainingp correctly, add test | ||
44 | 19 | + CVE-2018-5740 | ||
45 | 20 | [Fixed in new upstream version 9.11.5] | ||
46 | 21 | - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the | ||
47 | 22 | line (Closes: #904983) | ||
48 | 23 | [Fixed in 1:9.11.4+dfsg-4] | ||
49 | 24 | - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) | ||
50 | 25 | [Fixed in 1:9.11.4.P1+dfsg-1] | ||
51 | 26 | - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol | ||
52 | 27 | (it depends on OpenSSL version) (Closes: #897643) | ||
53 | 28 | [Fixed in 1:9.11.4.P1+dfsg-1] | ||
54 | 29 | * Added: | ||
55 | 30 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
56 | 31 | option (LP: #1804648) | ||
57 | 32 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
58 | 33 | close to a query timeout (LP: #1797926) | ||
59 | 34 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
60 | 35 | network egress access that is not available in the Ubuntu autopkgtest | ||
61 | 36 | farm. | ||
62 | 37 | |||
63 | 38 | -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 | ||
64 | 39 | |||
65 | 1 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium | 40 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium |
66 | 2 | 41 | ||
67 | 3 | * Use team+dns@tracker.debian.org as Maintainer address | 42 | * Use team+dns@tracker.debian.org as Maintainer address |
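Review bot: the d/t/simpletest item under "Added" says only that the internetsociety.org test needs network egress, while the description of this merge calls it a dnssec test, so the dep8 run no longer exercises that check. Saying so in the entry, for example "drop the internetsociety.org DNSSEC test", records what coverage was given up and makes it easier to restore once egress or a forwarder-based variant is available. Minor: "caclulate" in the CVE-2018-5740-3.patch line is carried over from the 1:9.11.4+dfsg-3ubuntu4 entry and could be spelled "calculate" in this new entry.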
68 | @@ -59,6 +98,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium | |||
69 | 59 | 98 | ||
70 | 60 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 | 99 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 |
71 | 61 | 100 | ||
72 | 101 | bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high | ||
73 | 102 | |||
74 | 103 | * No change rebuild against openssl 1.1.1 with TLS 1.3 support. | ||
75 | 104 | |||
76 | 105 | -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 | ||
77 | 106 | |||
78 | 107 | bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium | ||
79 | 108 | |||
80 | 109 | * SECURITY UPDATE: denial of service crash when deny-answer-aliases | ||
81 | 110 | option is used | ||
82 | 111 | - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could | ||
83 | 112 | trigger a crash if deny-answer-aliases was set | ||
84 | 113 | - debian/patches/CVE-2018-5740-2.patch: add tests | ||
85 | 114 | - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set | ||
86 | 115 | chainingp correctly, add test | ||
87 | 116 | - CVE-2018-5740 | ||
88 | 117 | |||
89 | 118 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 | ||
90 | 119 | |||
91 | 120 | bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium | ||
92 | 121 | |||
93 | 122 | * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol | ||
94 | 123 | (it depends on OpenSSL version) (Closes: #897643) | ||
95 | 124 | |||
96 | 125 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 | ||
97 | 126 | |||
98 | 127 | bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium | ||
99 | 128 | |||
100 | 129 | * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 | ||
101 | 130 | crashing on startup. (LP: #1769440) | ||
102 | 131 | |||
103 | 132 | -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 | ||
104 | 133 | |||
105 | 134 | bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium | ||
106 | 135 | |||
107 | 136 | * Merge with Debian unstable. Remaining changes: | ||
108 | 137 | - Build without lmdb support as that package is in Universe | ||
109 | 138 | * Added: | ||
110 | 139 | - Don't build dnstap as it depends on universe packages: | ||
111 | 140 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
112 | 141 | protobuf-c-compiler (universe packages) | ||
113 | 142 | + d/dnsutils.install: don't install dnstap | ||
114 | 143 | + d/libdns1102.symbols: don't include dnstap symbols | ||
115 | 144 | + d/rules: don't build dnstap | ||
116 | 145 | - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the | ||
117 | 146 | line (Closes: #904983) | ||
118 | 147 | |||
119 | 148 | -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 | ||
120 | 149 | |||
121 | 62 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium | 150 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium |
122 | 63 | 151 | ||
123 | 64 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) | 152 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) |
124 | @@ -89,6 +177,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium | |||
125 | 89 | 177 | ||
126 | 90 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 | 178 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 |
127 | 91 | 179 | ||
128 | 180 | bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium | ||
129 | 181 | |||
130 | 182 | * Merge with Debian unstable (LP: #1777935). Remaining changes: | ||
131 | 183 | - Build without lmdb support as that package is in Universe | ||
132 | 184 | * Drop: | ||
133 | 185 | - SECURITY UPDATE: improperly permits recursive query service | ||
134 | 186 | + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling | ||
135 | 187 | in bin/named/server.c. | ||
136 | 188 | + CVE-2018-5738 | ||
137 | 189 | [Applied in Debian's 1:9.11.3+dfsg-2] | ||
138 | 190 | |||
139 | 191 | -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 | ||
140 | 192 | |||
141 | 92 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium | 193 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
142 | 93 | 194 | ||
143 | 94 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion | 195 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion |
144 | @@ -97,6 +198,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium | |||
145 | 97 | 198 | ||
146 | 98 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 | 199 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 |
147 | 99 | 200 | ||
148 | 201 | bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium | ||
149 | 202 | |||
150 | 203 | * SECURITY UPDATE: improperly permits recursive query service | ||
151 | 204 | - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling | ||
152 | 205 | in bin/named/server.c. | ||
153 | 206 | - CVE-2018-5738 | ||
154 | 207 | |||
155 | 208 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 | ||
156 | 209 | |||
157 | 210 | bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low | ||
158 | 211 | |||
159 | 212 | * New upstream release. (LP: #1763572) | ||
160 | 213 | - fix a crash when configured with ipa-dns-install | ||
161 | 214 | * Merge from Debian unstable. Remaining changes: | ||
162 | 215 | - Build without lmdb support as that package is in Universe | ||
163 | 216 | |||
164 | 217 | -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 | ||
165 | 218 | |||
166 | 100 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium | 219 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
167 | 101 | 220 | ||
168 | 102 | [ Bernhard Schmidt ] | 221 | [ Bernhard Schmidt ] |
169 | @@ -121,6 +240,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium | |||
170 | 121 | 240 | ||
171 | 122 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 | 241 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 |
172 | 123 | 242 | ||
173 | 243 | bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium | ||
174 | 244 | |||
175 | 245 | * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating | ||
176 | 246 | DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews | ||
177 | 247 | <marka@isc.org>. (LP: #1755439) | ||
178 | 248 | |||
179 | 249 | -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 | ||
180 | 250 | |||
181 | 251 | bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium | ||
182 | 252 | |||
183 | 253 | * Fix apparmor profile filename (LP: #1754981) | ||
184 | 254 | |||
185 | 255 | -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 | ||
186 | 256 | |||
187 | 257 | bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high | ||
188 | 258 | |||
189 | 259 | * No change rebuild against openssl1.1. | ||
190 | 260 | |||
191 | 261 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 | ||
192 | 262 | |||
193 | 263 | bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium | ||
194 | 264 | |||
195 | 265 | * Build without lmdb support as that package is in Universe (LP: #1746296) | ||
196 | 266 | - d/control: remove Build-Depends on liblmdb-dev | ||
197 | 267 | - d/rules: configure --without-lmdb | ||
198 | 268 | - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires | ||
199 | 269 | lmdb. | ||
200 | 270 | |||
201 | 271 | -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 | ||
202 | 272 | |||
203 | 273 | bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium | ||
204 | 274 | |||
205 | 275 | * Merge with Debian unstable (LP: #1744930). | ||
206 | 276 | * Drop: | ||
207 | 277 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
208 | 278 | (LP #1536181). | ||
209 | 279 | [fixed in 1:9.10.6+dfsg-4] | ||
210 | 280 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
211 | 281 | [adopted in 1:9.10.6+dfsg-5] | ||
212 | 282 | - d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
213 | 283 | introduced with the CVE-2016-8864.patch and fixed in | ||
214 | 284 | CVE-2016-8864-regression.patch. | ||
215 | 285 | [applied upstream] | ||
216 | 286 | - d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
217 | 287 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
218 | 288 | and fixed in CVE-2016-8864-regression2.patch. | ||
219 | 289 | [applied upstream] | ||
220 | 290 | - d/control, d/rules: add json support for the statistics channels. | ||
221 | 291 | (LP #1669193) | ||
222 | 292 | [adopted in 1:9.10.6+dfsg-5] | ||
223 | 293 | * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing | ||
224 | 294 | listing the python ply module as a dependency (Closes: #888463) | ||
225 | 295 | |||
226 | 296 | -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 | ||
227 | 297 | |||
228 | 124 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium | 298 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
229 | 125 | 299 | ||
230 | 126 | * New upstream version 9.11.2-P1 | 300 | * New upstream version 9.11.2-P1 |
231 | @@ -296,6 +470,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium | |||
232 | 296 | 470 | ||
233 | 297 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 | 471 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
234 | 298 | 472 | ||
235 | 473 | bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium | ||
236 | 474 | |||
237 | 475 | * Merge with Debian unstable (LP: #1712920). Remaining changes: | ||
238 | 476 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
239 | 477 | (LP #1536181). | ||
240 | 478 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
241 | 479 | - d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
242 | 480 | introduced with the CVE-2016-8864.patch and fixed in | ||
243 | 481 | CVE-2016-8864-regression.patch. | ||
244 | 482 | - d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
245 | 483 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
246 | 484 | and fixed in CVE-2016-8864-regression2.patch. | ||
247 | 485 | - d/control, d/rules: add json support for the statistics channels. | ||
248 | 486 | (LP #1669193) | ||
249 | 487 | |||
250 | 488 | -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 | ||
251 | 489 | |||
252 | 490 | bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium | ||
253 | 491 | |||
254 | 492 | * Non-maintainer upload. | ||
255 | 493 | * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) | ||
256 | 494 | |||
257 | 495 | -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 | ||
258 | 496 | |||
259 | 497 | bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium | ||
260 | 498 | |||
261 | 499 | * Merge with Debian unstable (LP: #1701687). Remaining changes: | ||
262 | 500 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
263 | 501 | (LP #1536181). | ||
264 | 502 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
265 | 503 | * Drop: | ||
266 | 504 | - SECURITY UPDATE: denial of service via assertion failure | ||
267 | 505 | + debian/patches/CVE-2016-2776.patch: properly handle lengths in | ||
268 | 506 | lib/dns/message.c. | ||
269 | 507 | + CVE-2016-2776 | ||
270 | 508 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
271 | 509 | - SECURITY UPDATE: assertion failure via class mismatch | ||
272 | 510 | + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY | ||
273 | 511 | records in lib/dns/resolver.c. | ||
274 | 512 | + CVE-2016-9131 | ||
275 | 513 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
276 | 514 | - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information | ||
277 | 515 | + debian/patches/CVE-2016-9147.patch: fix logic when records are | ||
278 | 516 | returned without the requested data in lib/dns/resolver.c. | ||
279 | 517 | + CVE-2016-9147 | ||
280 | 518 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
281 | 519 | - SECURITY UPDATE: assertion failure via unusually-formed DS record | ||
282 | 520 | + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in | ||
283 | 521 | lib/dns/message.c, lib/dns/resolver.c. | ||
284 | 522 | + CVE-2016-9444 | ||
285 | 523 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
286 | 524 | - SECURITY UPDATE: regression in CVE-2016-8864 | ||
287 | 525 | + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in | ||
288 | 526 | responses in lib/dns/resolver.c, added tests to | ||
289 | 527 | bin/tests/system/dname/ns2/example.db, | ||
290 | 528 | bin/tests/system/dname/tests.sh. | ||
291 | 529 | + No CVE number | ||
292 | 530 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] | ||
293 | 531 | - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing | ||
294 | 532 | a NULL pointer | ||
295 | 533 | + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz | ||
296 | 534 | combination in bin/named/query.c, lib/dns/message.c, | ||
297 | 535 | lib/dns/rdataset.c. | ||
298 | 536 | + CVE-2017-3135 | ||
299 | 537 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12] | ||
300 | 538 | - SECURITY UPDATE: regression in CVE-2016-8864 | ||
301 | 539 | + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME | ||
302 | 540 | was still being cached when it should have been in lib/dns/resolver.c, | ||
303 | 541 | added tests to bin/tests/system/dname/ans3/ans.pl, | ||
304 | 542 | bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. | ||
305 | 543 | + No CVE number | ||
306 | 544 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12] | ||
307 | 545 | - SECURITY UPDATE: Denial of Service due to an error handling | ||
308 | 546 | synthesized records when using DNS64 with "break-dnssec yes;" | ||
309 | 547 | + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() | ||
310 | 548 | called. | ||
311 | 549 | + CVE-2017-3136 | ||
312 | 550 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] | ||
313 | 551 | - SECURITY UPDATE: Denial of Service due to resolver terminating when | ||
314 | 552 | processing a response packet containing a CNAME or DNAME | ||
315 | 553 | + debian/patches/CVE-2017-3137.patch: don't expect a specific | ||
316 | 554 | ordering of answer components; add testcases. | ||
317 | 555 | + CVE-2017-3137 | ||
318 | 556 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] | ||
319 | 557 | - SECURITY UPDATE: Denial of Service when receiving a null command on | ||
320 | 558 | the control channel | ||
321 | 559 | + debian/patches/CVE-2017-3138.patch: don't throw an assert if no | ||
322 | 560 | command token is given; add testcase. | ||
323 | 561 | + CVE-2017-3138 | ||
324 | 562 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] | ||
325 | 563 | - SECURITY UPDATE: TSIG authentication issues | ||
326 | 564 | + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in | ||
327 | 565 | lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. | ||
328 | 566 | + CVE-2017-3142 | ||
329 | 567 | + CVE-2017-3143 | ||
330 | 568 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] | ||
331 | 569 | * d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
332 | 570 | introduced with the CVE-2016-8864.patch and fixed in | ||
333 | 571 | CVE-2016-8864-regression.patch. | ||
334 | 572 | * d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
335 | 573 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
336 | 574 | and fixed in CVE-2016-8864-regression2.patch. | ||
337 | 575 | * d/control, d/rules: add json support for the statistics channels. | ||
338 | 576 | (LP: #1669193) | ||
339 | 577 | |||
340 | 578 | -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 | ||
341 | 579 | |||
342 | 580 | bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium | ||
343 | 581 | |||
344 | 582 | * Non-maintainer upload. | ||
345 | 583 | * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG | ||
346 | 584 | signed TCP message sequences where not all the messages contain TSIG | ||
347 | 585 | records. These may be used in AXFR and IXFR responses. | ||
348 | 586 | (Closes: #868952) | ||
349 | 587 | |||
350 | 588 | -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 | ||
351 | 589 | |||
352 | 590 | bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high | ||
353 | 591 | |||
354 | 592 | * Non-maintainer upload. | ||
355 | 593 | |||
356 | 594 | [ Yves-Alexis Perez ] | ||
357 | 595 | * debian/patches: | ||
358 | 596 | - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses | ||
359 | 597 | CVE-2017-3142: error in TSIG authentication can permit unauthorized zone | ||
360 | 598 | transfers. An attacker may be able to circumvent TSIG authentication of | ||
361 | 599 | AXFR and Notify requests. | ||
362 | 600 | CVE-2017-3143: error in TSIG authentication can permit unauthorized | ||
363 | 601 | dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) | ||
364 | 602 | signature for a dynamic update. | ||
365 | 603 | (Closes: #866564) | ||
366 | 604 | |||
367 | 605 | -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 | ||
368 | 606 | |||
369 | 299 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium | 607 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
370 | 300 | 608 | ||
371 | 301 | [ Bernhard Schmidt ] | 609 | [ Bernhard Schmidt ] |
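Review bot: in the Drop list of the 1:9.10.3.dfsg.P4-12.5ubuntu1 entry, the TSIG item names the patch debian/patches/CVE-2017-3042,3043.patch while the CVE ids listed directly under it are CVE-2017-3142 and CVE-2017-3143. The 1:9.10.3.dfsg.P4-10.1ubuntu7 entry in a later hunk uses the same filename, so this reads as the file's historical name rather than something introduced by this merge, and as reconstructed history it should stay unchanged. It is worth confirming against the old branch, since an audit that searches the changelog by patch filename for these two CVEs will not match.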
372 | @@ -402,6 +710,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium | |||
373 | 402 | 710 | ||
374 | 403 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 | 711 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
375 | 404 | 712 | ||
376 | 713 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium | ||
377 | 714 | |||
378 | 715 | * SECURITY UPDATE: TSIG authentication issues | ||
379 | 716 | - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in | ||
380 | 717 | lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. | ||
381 | 718 | - CVE-2017-3142 | ||
382 | 719 | - CVE-2017-3143 | ||
383 | 720 | |||
384 | 721 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 | ||
385 | 722 | |||
386 | 723 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium | ||
387 | 724 | |||
388 | 725 | * rules: Fix path to libsofthsm2.so. (LP: #1685780) | ||
389 | 726 | |||
390 | 727 | -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 | ||
391 | 728 | |||
392 | 729 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium | ||
393 | 730 | |||
394 | 731 | * SECURITY UPDATE: Denial of Service due to an error handling | ||
395 | 732 | synthesized records when using DNS64 with "break-dnssec yes;" | ||
396 | 733 | - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() | ||
397 | 734 | called. | ||
398 | 735 | - CVE-2017-3136 | ||
399 | 736 | * SECURITY UPDATE: Denial of Service due to resolver terminating when | ||
400 | 737 | processing a response packet containing a CNAME or DNAME | ||
401 | 738 | - debian/patches/CVE-2017-3137.patch: don't expect a specific | ||
402 | 739 | ordering of answer components; add testcases. | ||
403 | 740 | - CVE-2017-3137 | ||
404 | 741 | * SECURITY UPDATE: Denial of Service when receiving a null command on | ||
405 | 742 | the control channel | ||
406 | 743 | - debian/patches/CVE-2017-3138.patch: don't throw an assert if no | ||
407 | 744 | command token is given; add testcase. | ||
408 | 745 | - CVE-2017-3138 | ||
409 | 746 | |||
410 | 747 | -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 | ||
411 | 748 | |||
412 | 749 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium | ||
413 | 750 | |||
414 | 751 | * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing | ||
415 | 752 | a NULL pointer | ||
416 | 753 | - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz | ||
417 | 754 | combination in bin/named/query.c, lib/dns/message.c, | ||
418 | 755 | lib/dns/rdataset.c. | ||
419 | 756 | - CVE-2017-3135 | ||
420 | 757 | * SECURITY UPDATE: regression in CVE-2016-8864 | ||
421 | 758 | - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME | ||
422 | 759 | was still being cached when it should have been in lib/dns/resolver.c, | ||
423 | 760 | added tests to bin/tests/system/dname/ans3/ans.pl, | ||
424 | 761 | bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. | ||
425 | 762 | - No CVE number | ||
426 | 763 | |||
427 | 764 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 | ||
428 | 765 | |||
429 | 766 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium | ||
430 | 767 | |||
431 | 768 | * SECURITY UPDATE: assertion failure via class mismatch | ||
432 | 769 | - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY | ||
433 | 770 | records in lib/dns/resolver.c. | ||
434 | 771 | - CVE-2016-9131 | ||
435 | 772 | * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information | ||
436 | 773 | - debian/patches/CVE-2016-9147.patch: fix logic when records are | ||
437 | 774 | returned without the requested data in lib/dns/resolver.c. | ||
438 | 775 | - CVE-2016-9147 | ||
439 | 776 | * SECURITY UPDATE: assertion failure via unusually-formed DS record | ||
440 | 777 | - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in | ||
441 | 778 | lib/dns/message.c, lib/dns/resolver.c. | ||
442 | 779 | - CVE-2016-9444 | ||
443 | 780 | * SECURITY UPDATE: regression in CVE-2016-8864 | ||
444 | 781 | - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in | ||
445 | 782 | responses in lib/dns/resolver.c, added tests to | ||
446 | 783 | bin/tests/system/dname/ns2/example.db, | ||
447 | 784 | bin/tests/system/dname/tests.sh. | ||
448 | 785 | - No CVE number | ||
449 | 786 | |||
450 | 787 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 | ||
451 | 788 | |||
452 | 789 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium | ||
453 | 790 | |||
454 | 791 | * Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
455 | 792 | (LP: #1536181). | ||
456 | 793 | |||
457 | 794 | -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 | ||
458 | 795 | |||
459 | 796 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium | ||
460 | 797 | |||
461 | 798 | * SECURITY UPDATE: denial of service via assertion failure | ||
462 | 799 | - debian/patches/CVE-2016-2776.patch: properly handle lengths in | ||
463 | 800 | lib/dns/message.c. | ||
464 | 801 | - CVE-2016-2776 | ||
465 | 802 | |||
466 | 803 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 | ||
467 | 804 | |||
468 | 405 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium | 805 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
469 | 406 | 806 | ||
470 | 407 | * Non-maintainer upload. | 807 | * Non-maintainer upload. |
471 | diff --git a/debian/control b/debian/control | |||
472 | index 73c2a17..3d7f03d 100644 | |||
473 | --- a/debian/control | |||
474 | +++ b/debian/control | |||
475 | @@ -1,7 +1,8 @@ | |||
476 | 1 | Source: bind9 | 1 | Source: bind9 |
477 | 2 | Section: net | 2 | Section: net |
478 | 3 | Priority: optional | 3 | Priority: optional |
480 | 4 | Maintainer: Debian DNS Team <team+dns@tracker.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
481 | 5 | XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> | ||
482 | 5 | Uploaders: LaMont Jones <lamont@debian.org>, | 6 | Uploaders: LaMont Jones <lamont@debian.org>, |
483 | 6 | Michael Gilbert <mgilbert@debian.org>, | 7 | Michael Gilbert <mgilbert@debian.org>, |
484 | 7 | Robie Basak <robie.basak@canonical.com>, | 8 | Robie Basak <robie.basak@canonical.com>, |
485 | @@ -15,18 +16,14 @@ Build-Depends: bison, | |||
486 | 15 | dpkg-dev (>= 1.16.1~), | 16 | dpkg-dev (>= 1.16.1~), |
487 | 16 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], | 17 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], |
488 | 17 | libdb-dev (>>4.6), | 18 | libdb-dev (>>4.6), |
489 | 18 | libfstrm-dev, | ||
490 | 19 | libgeoip-dev (>= 1.4.6.dfsg-5), | 19 | libgeoip-dev (>= 1.4.6.dfsg-5), |
491 | 20 | libidn2-dev, | 20 | libidn2-dev, |
492 | 21 | libjson-c-dev, | 21 | libjson-c-dev, |
493 | 22 | libkrb5-dev, | 22 | libkrb5-dev, |
494 | 23 | libldap2-dev, | 23 | libldap2-dev, |
495 | 24 | liblmdb-dev, | ||
496 | 25 | libprotobuf-c-dev, | ||
497 | 26 | libssl-dev, | 24 | libssl-dev, |
498 | 27 | libtool, | 25 | libtool, |
499 | 28 | libxml2-dev, | 26 | libxml2-dev, |
500 | 29 | protobuf-c-compiler, | ||
501 | 30 | python3, | 27 | python3, |
502 | 31 | python3-distutils, | 28 | python3-distutils, |
503 | 32 | python3-ply | 29 | python3-ply |
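Review bot: the second debian/control hunk drops libfstrm-dev, liblmdb-dev, libprotobuf-c-dev and protobuf-c-compiler from Build-Depends with nothing in the file saying why. These line up with the `--enable-dnstap` and `--with-lmdb=/usr` configure options that debian/rules changes in this same diff, so the Ubuntu build loses dnstap capture and LMDB support relative to Debian. Please make sure the changelog's list of remaining delta names each dropped dependency together with the reason, so the next merge can re-check whether the delta is still needed.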
504 | diff --git a/debian/dnsutils.install b/debian/dnsutils.install | |||
505 | index 90e4fba..5e6b7d9 100644 | |||
506 | --- a/debian/dnsutils.install | |||
507 | +++ b/debian/dnsutils.install | |||
508 | @@ -1,12 +1,10 @@ | |||
509 | 1 | usr/bin/delv | 1 | usr/bin/delv |
510 | 2 | usr/bin/dig | 2 | usr/bin/dig |
511 | 3 | usr/bin/dnstap-read | ||
512 | 4 | usr/bin/mdig | 3 | usr/bin/mdig |
513 | 5 | usr/bin/nslookup | 4 | usr/bin/nslookup |
514 | 6 | usr/bin/nsupdate | 5 | usr/bin/nsupdate |
515 | 7 | usr/share/man/man1/delv.1 | 6 | usr/share/man/man1/delv.1 |
516 | 8 | usr/share/man/man1/dig.1 | 7 | usr/share/man/man1/dig.1 |
517 | 9 | usr/share/man/man1/dnstap-read.1 | ||
518 | 10 | usr/share/man/man1/mdig.1 | 8 | usr/share/man/man1/mdig.1 |
519 | 11 | usr/share/man/man1/nslookup.1 | 9 | usr/share/man/man1/nslookup.1 |
520 | 12 | usr/share/man/man1/nsupdate.1 | 10 | usr/share/man/man1/nsupdate.1 |
521 | diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols | |||
522 | index a3b9f10..7b6020e 100644 | |||
523 | --- a/debian/libdns1104.symbols | |||
524 | +++ b/debian/libdns1104.symbols | |||
525 | @@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# | |||
526 | 358 | dns_dsdigest_format@Base 1:9.11.3+dfsg | 358 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
527 | 359 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg | 359 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
528 | 360 | dns_dsdigest_totext@Base 1:9.11.3+dfsg | 360 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
529 | 361 | dns_dt_attach@Base 1:9.11.4+dfsg-2 | ||
530 | 362 | dns_dt_close@Base 1:9.11.4+dfsg-2 | ||
531 | 363 | dns_dt_create@Base 1:9.11.4+dfsg-2 | ||
532 | 364 | dns_dt_datatotext@Base 1:9.11.4+dfsg-2 | ||
533 | 365 | dns_dt_detach@Base 1:9.11.4+dfsg-2 | ||
534 | 366 | dns_dt_getframe@Base 1:9.11.4+dfsg-2 | ||
535 | 367 | dns_dt_getstats@Base 1:9.11.4+dfsg-2 | ||
536 | 368 | dns_dt_open@Base 1:9.11.4+dfsg-2 | ||
537 | 369 | dns_dt_parse@Base 1:9.11.4+dfsg-2 | ||
538 | 370 | dns_dt_reopen@Base 1:9.11.4+dfsg-2 | ||
539 | 371 | dns_dt_send@Base 1:9.11.4+dfsg-2 | ||
540 | 372 | dns_dt_setidentity@Base 1:9.11.4+dfsg-2 | ||
541 | 373 | dns_dt_setversion@Base 1:9.11.4+dfsg-2 | ||
542 | 374 | dns_dt_shutdown@Base 1:9.11.4+dfsg-2 | ||
543 | 375 | dns_dtdata_free@Base 1:9.11.4+dfsg-2 | ||
544 | 376 | dns_dumpctx_attach@Base 1:9.11.3+dfsg | 361 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
545 | 377 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg | 362 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
546 | 378 | dns_dumpctx_db@Base 1:9.11.3+dfsg | 363 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
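Review bot: removing the dns_dt_* entries here, and the dnstap__* entries in the hunks that follow, shrinks the exported symbol set of libdns-pkcs11.so.1104 and libdns.so.1104 while the package name stays libdns1104. The removed lines record these symbols as present since 1:9.11.4+dfsg-2, so anything linked against a build that exported them would fail to resolve them against this one. Worth confirming that none of the reverse dependencies being rebuilt reference dns_dt_* or dnstap__* before upload.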
547 | @@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# | |||
548 | 1443 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg | 1428 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
549 | 1444 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg | 1429 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
550 | 1445 | dns_zt_unmount@Base 1:9.11.3+dfsg | 1430 | dns_zt_unmount@Base 1:9.11.3+dfsg |
551 | 1446 | dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2 | ||
552 | 1447 | dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
553 | 1448 | dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
554 | 1449 | dnstap__dnstap__init@Base 1:9.11.4+dfsg-2 | ||
555 | 1450 | dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2 | ||
556 | 1451 | dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
557 | 1452 | dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
558 | 1453 | dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2 | ||
559 | 1454 | dnstap__message__descriptor@Base 1:9.11.4+dfsg-2 | ||
560 | 1455 | dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
561 | 1456 | dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
562 | 1457 | dnstap__message__init@Base 1:9.11.4+dfsg-2 | ||
563 | 1458 | dnstap__message__pack@Base 1:9.11.4+dfsg-2 | ||
564 | 1459 | dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
565 | 1460 | dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
566 | 1461 | dnstap__message__unpack@Base 1:9.11.4+dfsg-2 | ||
567 | 1462 | dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2 | ||
568 | 1463 | dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2 | ||
569 | 1464 | dst__entropy_getdata@Base 1:9.11.3+dfsg | 1431 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
570 | 1465 | dst__entropy_status@Base 1:9.11.3+dfsg | 1432 | dst__entropy_status@Base 1:9.11.3+dfsg |
571 | 1466 | dst__gssapi_init@Base 1:9.11.3+dfsg | 1433 | dst__gssapi_init@Base 1:9.11.3+dfsg |
572 | @@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER# | |||
573 | 1940 | dns_dsdigest_format@Base 1:9.11.3+dfsg | 1907 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
574 | 1941 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg | 1908 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
575 | 1942 | dns_dsdigest_totext@Base 1:9.11.3+dfsg | 1909 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
576 | 1943 | dns_dt_attach@Base 1:9.11.4+dfsg-2 | ||
577 | 1944 | dns_dt_close@Base 1:9.11.4+dfsg-2 | ||
578 | 1945 | dns_dt_create@Base 1:9.11.4+dfsg-2 | ||
579 | 1946 | dns_dt_datatotext@Base 1:9.11.4+dfsg-2 | ||
580 | 1947 | dns_dt_detach@Base 1:9.11.4+dfsg-2 | ||
581 | 1948 | dns_dt_getframe@Base 1:9.11.4+dfsg-2 | ||
582 | 1949 | dns_dt_getstats@Base 1:9.11.4+dfsg-2 | ||
583 | 1950 | dns_dt_open@Base 1:9.11.4+dfsg-2 | ||
584 | 1951 | dns_dt_parse@Base 1:9.11.4+dfsg-2 | ||
585 | 1952 | dns_dt_reopen@Base 1:9.11.4+dfsg-2 | ||
586 | 1953 | dns_dt_send@Base 1:9.11.4+dfsg-2 | ||
587 | 1954 | dns_dt_setidentity@Base 1:9.11.4+dfsg-2 | ||
588 | 1955 | dns_dt_setversion@Base 1:9.11.4+dfsg-2 | ||
589 | 1956 | dns_dt_shutdown@Base 1:9.11.4+dfsg-2 | ||
590 | 1957 | dns_dtdata_free@Base 1:9.11.4+dfsg-2 | ||
591 | 1958 | dns_dumpctx_attach@Base 1:9.11.3+dfsg | 1910 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
592 | 1959 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg | 1911 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
593 | 1960 | dns_dumpctx_db@Base 1:9.11.3+dfsg | 1912 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
594 | @@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER# | |||
595 | 3032 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg | 2984 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
596 | 3033 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg | 2985 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
597 | 3034 | dns_zt_unmount@Base 1:9.11.3+dfsg | 2986 | dns_zt_unmount@Base 1:9.11.3+dfsg |
598 | 3035 | dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2 | ||
599 | 3036 | dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
600 | 3037 | dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
601 | 3038 | dnstap__dnstap__init@Base 1:9.11.4+dfsg-2 | ||
602 | 3039 | dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2 | ||
603 | 3040 | dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
604 | 3041 | dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
605 | 3042 | dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2 | ||
606 | 3043 | dnstap__message__descriptor@Base 1:9.11.4+dfsg-2 | ||
607 | 3044 | dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
608 | 3045 | dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
609 | 3046 | dnstap__message__init@Base 1:9.11.4+dfsg-2 | ||
610 | 3047 | dnstap__message__pack@Base 1:9.11.4+dfsg-2 | ||
611 | 3048 | dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
612 | 3049 | dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
613 | 3050 | dnstap__message__unpack@Base 1:9.11.4+dfsg-2 | ||
614 | 3051 | dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2 | ||
615 | 3052 | dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2 | ||
616 | 3053 | dst__entropy_getdata@Base 1:9.11.3+dfsg | 2987 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
617 | 3054 | dst__entropy_status@Base 1:9.11.3+dfsg | 2988 | dst__entropy_status@Base 1:9.11.3+dfsg |
618 | 3055 | dst__gssapi_init@Base 1:9.11.3+dfsg | 2989 | dst__gssapi_init@Base 1:9.11.3+dfsg |
619 | diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff | |||
620 | 3056 | new file mode 100644 | 2990 | new file mode 100644 |
621 | index 0000000..5444ae7 | |||
622 | --- /dev/null | |||
623 | +++ b/debian/patches/enable-udp-in-host-command.diff | |||
624 | @@ -0,0 +1,26 @@ | |||
625 | 1 | Description: Fix parsing of host(1)'s -U command line option | ||
626 | 2 | Author: Andreas Hasenack <andreas@canonical.com> | ||
627 | 3 | Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769 | ||
628 | 4 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648 | ||
629 | 5 | Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935 | ||
630 | 6 | Last-Update: 2018-12-06 | ||
631 | 7 | --- | ||
632 | 8 | This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ | ||
633 | 9 | --- a/bin/dig/host.c | ||
634 | 10 | +++ b/bin/dig/host.c | ||
635 | 11 | @@ -158,6 +158,7 @@ | ||
636 | 12 | " -s a SERVFAIL response should stop query\n" | ||
637 | 13 | " -t specifies the query type\n" | ||
638 | 14 | " -T enables TCP/IP mode\n" | ||
639 | 15 | +" -U enables UDP mode\n" | ||
640 | 16 | " -v enables verbose output\n" | ||
641 | 17 | " -V print version number and exit\n" | ||
642 | 18 | " -w specifies to wait forever for a reply\n" | ||
643 | 19 | @@ -657,6 +658,7 @@ | ||
644 | 20 | case 'N': break; | ||
645 | 21 | case 'R': break; | ||
646 | 22 | case 'T': break; | ||
647 | 23 | + case 'U': break; | ||
648 | 24 | case 'W': break; | ||
649 | 25 | default: | ||
650 | 26 | show_usage(); | ||
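Review bot: nothing in this merge exercises the option this patch repairs. The inner hunk at -657,6 +658,7 only adds `case 'U': break;` to a switch whose default calls show_usage(), plus the usage line, and debian/tests/simpletest never invokes host. Since the fix is carried as delta until the commit named in Applied-Upstream reaches a release, consider a dep8 check that runs host with -U against the local server, so a bad refresh of this patch is caught by the test run rather than by users.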
651 | diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff | |||
652 | 0 | new file mode 100644 | 27 | new file mode 100644 |
653 | index 0000000..f10f51f | |||
654 | --- /dev/null | |||
655 | +++ b/debian/patches/fix-shutdown-race.diff | |||
656 | @@ -0,0 +1,41 @@ | |||
657 | 1 | From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001 | ||
658 | 2 | From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> | ||
659 | 3 | Date: Tue, 13 Nov 2018 13:50:47 +0100 | ||
660 | 4 | Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c | ||
661 | 5 | |||
662 | 6 | If a tool using the routines defined in bin/dig/dighost.c is sent an | ||
663 | 7 | interruption signal around the time a connection timeout is scheduled to | ||
664 | 8 | fire, connect_timeout() may be executed after destroy_libs() detaches | ||
665 | 9 | from the global task (setting 'global_task' to NULL), which results in a | ||
666 | 10 | crash upon a UDP retry due to bringup_timer() attempting to create a | ||
667 | 11 | timer with 'task' set to NULL. Fix by preventing connect_timeout() from | ||
668 | 12 | attempting a retry when shutdown is in progress. | ||
669 | 13 | |||
670 | 14 | (cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b) | ||
671 | 15 | |||
672 | 16 | Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs | ||
673 | 17 | Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599 | ||
674 | 18 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926 | ||
675 | 19 | Last-Update: 2018-12-06 | ||
676 | 20 | |||
677 | 21 | --- | ||
678 | 22 | bin/dig/dighost.c | 5 +++++ | ||
679 | 23 | 1 file changed, 5 insertions(+) | ||
680 | 24 | diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c | ||
681 | 25 | index 39abb9d0fd..17e0328228 100644 | ||
682 | 26 | --- a/bin/dig/dighost.c | ||
683 | 27 | +++ b/bin/dig/dighost.c | ||
684 | 28 | @@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { | ||
685 | 29 | |||
686 | 30 | INSIST(!free_now); | ||
687 | 31 | |||
688 | 32 | + if (cancel_now) { | ||
689 | 33 | + UNLOCK_LOOKUP; | ||
690 | 34 | + return; | ||
691 | 35 | + } | ||
692 | 36 | + | ||
693 | 37 | if ((query != NULL) && (query->lookup->current_query != NULL) && | ||
694 | 38 | ISC_LINK_LINKED(query->lookup->current_query, link) && | ||
695 | 39 | (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { | ||
696 | 40 | -- | ||
697 | 41 | 2.18.1 | ||
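Review bot: the Subject line reads `[PATCH 1/2]`, but debian/patches/series gains only this one file from merge request 1040. The DEP-3 header should say whether patch 2/2 is intentionally left out and why, so a later reader does not assume half of the fix was missed. On the code itself, the new `if (cancel_now)` branch returns after UNLOCK_LOOKUP only; the context shown does not include what happens to `event` before INSIST(!free_now), so please confirm it has already been released by that point and the early return cannot leak it.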
698 | diff --git a/debian/patches/series b/debian/patches/series | |||
699 | index 348be41..75144c4 100644 | |||
700 | --- a/debian/patches/series | |||
701 | +++ b/debian/patches/series | |||
702 | @@ -8,3 +8,5 @@ | |||
703 | 8 | 80_reproducible_build.diff | 8 | 80_reproducible_build.diff |
704 | 9 | Add_--install-layout=deb_to_setup.py_call.patch | 9 | Add_--install-layout=deb_to_setup.py_call.patch |
705 | 10 | skip-rtld-deepbind-for-dyndb.diff | 10 | skip-rtld-deepbind-for-dyndb.diff |
706 | 11 | enable-udp-in-host-command.diff | ||
707 | 12 | fix-shutdown-race.diff | ||
708 | diff --git a/debian/rules b/debian/rules | |||
709 | index 7edd414..1a22081 100755 | |||
710 | --- a/debian/rules | |||
711 | +++ b/debian/rules | |||
712 | @@ -91,7 +91,7 @@ override_dh_auto_configure: | |||
713 | 91 | --with-gssapi=/usr \ | 91 | --with-gssapi=/usr \ |
714 | 92 | --with-libidn2 \ | 92 | --with-libidn2 \ |
715 | 93 | --with-libjson=/usr \ | 93 | --with-libjson=/usr \ |
717 | 94 | --with-lmdb=/usr \ | 94 | --without-lmdb \ |
718 | 95 | --with-gnu-ld \ | 95 | --with-gnu-ld \ |
719 | 96 | --with-geoip=/usr \ | 96 | --with-geoip=/usr \ |
720 | 97 | --with-atf=no \ | 97 | --with-atf=no \ |
721 | @@ -101,7 +101,6 @@ override_dh_auto_configure: | |||
722 | 101 | --enable-native-pkcs11 \ | 101 | --enable-native-pkcs11 \ |
723 | 102 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ | 102 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ |
724 | 103 | --with-randomdev=/dev/urandom \ | 103 | --with-randomdev=/dev/urandom \ |
725 | 104 | --enable-dnstap \ | ||
726 | 105 | --with-eddsa=no \ | 104 | --with-eddsa=no \ |
727 | 106 | $(EXTRA_FEATURES) | 105 | $(EXTRA_FEATURES) |
728 | 107 | dh_auto_configure -B build-udeb -- \ | 106 | dh_auto_configure -B build-udeb -- \ |
729 | @@ -128,8 +127,6 @@ override_dh_auto_configure: | |||
730 | 128 | # no need to build these targets here | 127 | # no need to build these targets here |
731 | 129 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile | 128 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile |
732 | 130 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile | 129 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile |
733 | 131 | cp lib/dns/dnstap.proto build/lib/dns | ||
734 | 132 | cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11 | ||
735 | 133 | 130 | ||
736 | 134 | override_dh_auto_build: | 131 | override_dh_auto_build: |
737 | 135 | dh_auto_build -B build | 132 | dh_auto_build -B build |
738 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest | |||
739 | index 468a7c5..34b0b25 100755 | |||
740 | --- a/debian/tests/simpletest | |||
741 | +++ b/debian/tests/simpletest | |||
742 | @@ -10,10 +10,6 @@ setup() { | |||
743 | 10 | run() { | 10 | run() { |
744 | 11 | # Make a query against a local zone | 11 | # Make a query against a local zone |
745 | 12 | dig -x 127.0.0.1 @127.0.0.1 | 12 | dig -x 127.0.0.1 @127.0.0.1 |
746 | 13 | |||
747 | 14 | # Make a query against an external nameserver and check for DNSSEC validation | ||
748 | 15 | echo "Checking for DNSSEC validation status of internetsociety.org" | ||
749 | 16 | dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' | ||
750 | 17 | } | 13 | } |
751 | 18 | 14 | ||
752 | 19 | teardown() { | 15 | teardown() { |
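Review bot: with the internetsociety.org check removed, run() is left with `dig -x 127.0.0.1 @127.0.0.1` and no assertion on the response content, so the test no longer covers DNSSEC validation at all. If egress cannot be relied on, consider checking the local query for `status: NOERROR` and covering validation with a locally signed zone and a matching trust anchor, which needs no external resolver.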
back to wip while I confirm that the reverse-depends can be rebuilt